Data protection in procurement procedures


Data protection in procurement procedures - between efficiency and conformity

Since May 2018, the European General Data Protection Regulation (GDPR; German: DSGVO) has been directly applicable in all EU Member States. The reform has not only harmonised data protection law in Europe, but has also led to extensive public debate and media coverage. There is almost no company that did not have to deal with data protection issues in 2018. Data protection, made much more prominent by the DSGVO, has an increasing influence on everyday business life.

Data protection law also has implications for public tenders. Nevertheless, the issue only attracted the attention of public purchasers after a considerable delay. When our experts, lawyer Dr. Söntje Julia Hilberg, LL.M. (IT/Data Protection) and lawyer Sebastian Schnitzler, LL.M. (Public Procurement Law), first dealt with issues at the interface of public procurement and data protection law a few years ago, it still felt like pioneering work. Since the "data protection year 2018" at the latest, however, the topic has also received increased attention from others. A further driver for the increasing importance of this topic is the mandatory implementation of electronic tendering procedures (eTendering) from October 2018. By contrast, processes that are not obviously relevant to data protection, especially public-sector business processes, still receive little attention in the ongoing discussion. Yet here, too, there are regular interfaces to data processing in the private sector.

In particular, when public contracts are awarded, personal data such as names, addresses, certificates and references are transferred between the public body acting as the awarding authority and bidders from the private sector. Thus, personal data is processed at every stage of the procurement procedure. This is often overlooked. However, public clients as well as companies participating in the procedure are addressees of the DSGVO and are responsible for the protection of personal data. Data processing in the award procedure must also be based on data protection principles and be appropriate, transparent and limited to what is necessary. In this respect, the mandatory electronic awarding of contracts since 2018 has also brought with it new data processing operations, which is why those involved in the award procedure, namely contracting authorities, bidders and operators of awarding platforms, are urged to rethink their data protection roles and corresponding obligations.

The primary goal of public procurement must not be lost sight of. Ultimately, the aim is to acquire a previously identified procurement object on the most economical terms possible. Data protection law does not change this.

The crux therefore lies in particular in linking the requirements for designing an efficient award procedure with the requirements of data protection compliance as seamlessly as possible.

Last year, Söntje Hilberg and Sebastian Schnitzler regularly exchanged views on this and other topics with public clients, bidders and providers of eProcurement solutions. This often also took place outside the regular mandate work: For example, the two had the opportunity to present and discuss the topic at public events such as the 5th German Award Day, the Smart Country Convention in Berlin as well as within the framework of regular nationwide seminars of the DVNW Academy.

The intensive exchange during the various events made it clear that numerous questions have not yet been conclusively clarified. This concerns above all the implementation of data protection requirements in practice, particularly with regard to the business processes found in the public sector. Awarding authorities are often already confronted with complex processes and documentation obligations due to the framework conditions of procurement law and are uncertain how to deal with the additional requirements from data protection law without this leading to inefficiencies.

The following questions regularly arise in the discussion: 
  • What is the role of the various parties involved in the respective stage of the award procedure in terms of data protection law?
  • Who has to fulfil which information duties towards the data subjects and when? How and when can the information be provided in the award procedure in a legally secure manner?
  • What specific data protection requirements should be taken into account in the electronic procurement procedure?
  • What can I demand from contractors in terms of data protection when awarding services?
  • And: What happens if data protection obligations are violated?

Most of these questions can be answered pragmatically, and existing processes can often be adapted with manageable effort. But such solutions are of course often hindered by a certain scepticism and sometimes also by the feeling of being overwhelmed that results from perceived over-regulation. The overarching question of whether and, if so, how to approach the issue often blocks the development and implementation of pragmatic approaches. In this respect, our seminar participants confirm again and again that a professionally moderated exchange on these sometimes very individual questions, together with the presentation and discussion of practical solutions, helps to clear up misunderstandings and to reduce existing reservations about the topic of data protection.

We are therefore looking forward to continuing to think ahead and to accompany the change in practice.
